Including Cybersecurity in the Contract Mix

Kimberly L. Kendall and William E. Long, Jr.

Kendall and Long are professors, respectively, of cybersecurity and contract management at the Defense Acquisition University's South Region in Huntsville, Alabama. Kendall, a retired Air Force colonel, is a former deputy division chief for Information Technology/Cyber Programs, Air Staff Information Dominance Directorate, Office of the Assistant Secretary of the Air Force for Acquisition. Long also performs consulting efforts for the Department of Defense and other federal agencies and participates as a subject-matter expert ensuring curriculum currency and enhancing processes within the contracting career field. He is the course manager for DAU's Contingency Contracting Course, CON

Cybersecurity is a team sport that requires Program Management, Cyber/Information Technology, Engineering, Test and Evaluation, Finance, Logisticians and Contracting. In order to improve the survivability of our Department of Defense (DoD) systems under cyberattack, we must consider cybersecurity in the earliest phases of contract planning, from acquisition planning to contract maintenance and closeout. If cybersecurity isn't properly integrated into the solicitation process, we won't (1) know if the offerors are capable of delivering our cybersecurity requirements, (2) be able to discriminate between offeror proposals or (3) be able to provide the proper oversight, since we may not have asked for the appropriate data to monitor contract performance.

Ensuring cybersecurity is appropriately addressed in the solicitation process involves more than selecting Federal Acquisition Regulation (FAR)-Defense Federal Acquisition Regulation Supplement (DFARS) clauses! Cybersecurity requirements, like other system requirements, underpin the solicitation process. Early involvement by the contracting officer is the key to successful incorporation of cybersecurity requirements into the Request for Proposal (RFP), source selection and post-award contractor execution activities. Additionally, contracting officers need to understand a program's cybersecurity requirements and risks to inform contract type selection. Figure 1 shows touch points in the life cycle where contracting solicitation activities should include cybersecurity considerations.

Figure 1. Contracting Touchpoints Across the Acquisition Life Cycle
[Figure: the acquisition life-cycle phases Materiel Solution Analysis, Technology Maturation & Risk Reduction, Engineering & Manufacturing Development, LRIP, and Operations & Support/Sustainment, with the decision points MDD, CDD-V, DRFPRD and FRPDR, and the contracting activities that fall at each point.]
Key to Figure: ICD=Initial Capabilities Document; CDD=Capability Development Document; CDD-V=Capability Development Document Validation; CPD=Capability Production Document; CDR=Critical Design Review; DRFPRD=Development Request for Proposals Release Decision; FOC=Full Operational Capability; FRPDR=Full-Rate Production Decision Review; LRIP=Low-Rate Initial Production; MDD=Materiel Development Decision; PDR=Preliminary Design Review; RFI=Request for Information; RFP=Request for Proposal
Source: Adapted by authors from DAU's Cybersecurity and Acquisition Life-cycle Integration Tool

Understanding and Communicating Requirements

Contracting for cybersecurity begins in the Requirements Phase. It is imperative that the contracting officer understand the program's cybersecurity requirements and construct a contracting strategy to determine whether offerors are capable of delivering those requirements. Many cybersecurity requirements are included in the mandatory System Survivability Key Performance Parameter (KPP) because Cyber Survivability is now a key element. All cybersecurity-required capabilities (including those derived from the Risk Management Framework [RMF] process) are decomposed into the government-owned technical requirements baseline. Traceability and balance between cybersecurity requirements, security controls and mission needs is of critical importance. This is where the contracting officer can help the program manager (PM) make informed tradespace decisions. Cybersecurity requirements should be communicated with industry through various forums (e.g., Industry Days, Sources Sought Synopsis, Request for Information (RFI), one-on-one meetings, Draft RFP, Preproposal Conferences, etc.) and ultimately included in the final RFP. This will provide industry with a better understanding of the breadth and depth of cybersecurity requirements. See Figure 2.

Figure 2. Putting Cybersecurity Requirements on Contract
[Figure: requirement sources (System Survivability KPP cyber elements; Risk Management Framework (RMF) security controls; authorization security boundary; applicable laws and regulations, e.g., FAR/DFARS; test requirements for Blue/Red Teams) feed requirements communication (Industry Days, Pre-Solicitation Notice, RFI), which feeds the procurement specifications (SRD/TRD) and the Request for Proposal (RFP) and contract.]
Key: KPP=Key Performance Parameter; SRD=System Requirements Document; TRD=Technical Requirements Document; RFI=Request for Information; RFP=Request for Proposal
Source: The authors

Source Selection

Clearly communicated cybersecurity requirements provide potential offerors information on which to base their proposed solutions and provide DoD with measures to evaluate offeror capability and solutions. Cybersecurity risk should be a consideration when determining evaluation criteria to provide discriminators among proposals. The following are just a few resources providing examples of cybersecurity considerations that can be incorporated into the RFP: the DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle; the Guide for Integrating Systems Engineering into DoD Acquisition Contracts; Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into DoD Requests for Proposals; and

Table 1 is a sampling of these considerations.

Table 1. Request for Proposal (RFP) Sample Cybersecurity Considerations

Section B. Supplies or services and prices/costs
- Review all CDRL deliverables for inclusion of cybersecurity execution support (e.g., data rights, test data, test plans, source code deliveries, prototype quantity, and delivery times and/or locations).

Section C. Description/Specification/Statement of Work
- State in performance-based terms cybersecurity requirements levied on the contractor.
- Include cybersecurity system/technical requirements in the SRD/TRD.
- Identify the system RMF categorization, overlays, and RMF security controls to inform scope.
- Identify any specific design, contractor testing or artifacts that enable compliance with cybersecurity requirements.

Section E. Inspection and acceptance
- Ensure that a quality assurance surveillance plan exists to monitor contractor performance, including cybersecurity.

Section F. Deliveries or performance
- Ensure that cybersecurity-related items are addressed like any other type of requirement (e.g., test article delivery, contractor support for repair, etc.).

Section H. Special contract requirements
- List applicable cybersecurity special contract requirements (e.g., handling of data, software license management and maintenance, use of contractor facilities for cybersecurity testing).

Section I. Contract clauses
- Cybersecurity-specific contract clauses should be considered.

Section J. List of attachments
- Consider applicable cybersecurity attachments (e.g., a DoD component RMF Guide, Program Protection Plan).

Section K. Representations, Certifications, and Other Statements of Offerors or Respondents
- Include requests for certification that support the cybersecurity strategy (e.g., National Security Agency certifications of cryptographic algorithms or equipment, and certification of cross domain solutions).

Section L. Instructions, Conditions, and Notices to Offerors or Respondents
- Describe the experience of cybersecurity staff, predicted staffing levels, and the application of cybersecurity best practices and its alignment with the contractor management structures for SSE and T&E.
- Define the contractor's responsibilities for cybersecurity and the alignment of those responsibilities in contrast to the government for required SSE and T&E activities (e.g., contractor cybersecurity testing, developmental testing, and integrated testing).
- Describe the contractor's approach for technical data, including management, ownership, control, timely access, and delivery of all cybersecurity data, including raw test data, to support the evolving technical baseline.
- Define CDRLs and select applicable DIDs. Identify any cybersecurity-related data products contractors must provide.
- Describe the contractor's approach for satisfying the Program Protection Plan.
- Describe the contractor's approach for detecting counterfeit components and use of cyber-certified products for hardware and software.
- Describe the contractor's access to government cyber ranges and use of commercial and/or government Blue and/or Red teams during cybersecurity testing.

Section M. Evaluation Factors for Award
- Prior performance in integrating cybersecurity considerations into the program's SE, SSE and T&E processes.
- Meet cybersecurity workforce certification and training requirements in DoDD and DoD M, and investigative requirements per DoDI
- Prior support to government achieving cost-effective cybersecurity authorizations to operate.
- Define measures and metrics clearly to evaluate qualification of contractor cybersecurity staff.
- Degree to which cybersecurity is included in design trade analysis.
- Degree to which security testing is integrated into software development.
- Degree to which supply chain risk management ensures security and integrity of sourced components.
- Degree to which supply chain diversity is implemented.

Key to Table: CDRL=Contract Data Requirements List; DID=Data Item Description; DoDI=DoD Instruction; DoDD=DoD Directive; RMF=Risk Management Framework; SE=Systems Engineering; SRD=System Requirements Document; SSE=Systems Security Engineering; T&E=Test and Evaluation; TRD=Technical Requirements Document.
Sources: DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle; the Guide for Integrating Systems Engineering into DoD Acquisition Contracts; Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into DoD Requests for Proposals; and

FAR/DFARS Clauses and Public Law

The procurement team should work together, but the contracting officer has the ultimate responsibility for FAR and the Defense FAR Supplement (DFARS) requirements. DoD Instruction (DoDI) [number omitted in source], Change 3, Enclosure 14, specifically calls out the following:
- FAR Clause, Security Requirements
- FAR Clause, Basic Safeguarding of Covered Contractor Information Systems
- Section 933, National Defense Authorization Act, FY [Fiscal Year] 2013, Public Law, Improvements in Assurance of Computer Software Procured by the Department of Defense
- DFARS Clause, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Section 937, National Defense Authorization Act, FY 2013, Public Law, Joint Federated Center for Trusted Defense Systems for the Department of Defense

Additional cybersecurity-related DFARS clauses include:
- DFARS Clause, Compliance with Safeguarding Covered Defense Information Controls
- DFARS Clause, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
- DFARS Clause, Representation of Use of Cloud Computing
- DFARS Clause, Cloud Computing Services
- DFARS Clause, Notice of Supply Chain Risk
- DFARS Clause, Supply Chain Risk

The foregoing is not an all-inclusive, one-size-fits-all list, and contracts should be based on individual program requirements and risk!

Effective Cybersecurity Government Oversight

To determine if cybersecurity requirements are being implemented effectively, the right data and tools need to be written into the contract. The following are examples of data, artifacts and/or activities that we might monitor:
- Software vulnerability scans (static and dynamic)
- Formal code inspections
- Software quality measures and configuration control
- Test coverage

Incentivize Cybersecurity Performance

Incentives are fundamental elements of any contract. The contract itself motivates successful performance from a monetary standpoint, future relevant work and brand reputation. However, since cybersecurity historically has been treated as a compliance checklist, perhaps we need to incentivize contractor efforts beyond "check the box" minimum performance by incorporating specific incentives designed to encourage exceptional performance. In the face of ever-increasing cyber threats, cybersecurity may be a critical risk area necessitating extra effort to mitigate those risks. There can be a combination of financial and nonfinancial incentives, including improved cash flow, increased business base and stable workforce employment. Incentives also can be either positive, negative or a combination of both. They should be applied selectively to motivate contractor efforts that otherwise might not be emphasized and to discourage suboptimal performance.

When it comes to incentives, we must always strive to have a better understanding of what incentives do and make sure that we're incentivizing the correct behavior. Early market research is the key to doing this successfully. For one thing, in using multiple incentive arrangements, we need to ensure that we always include a cost incentive so that the contractor doesn't exceed contractual costs by chasing that incentive. We also need to ensure that multiple incentives are not driving suboptimal performance in other areas or contradicting one another. The development of an effective acquisition strategy begins with understanding the program's cybersecurity requirements and making a thorough evaluation of risk. Contract incentives must properly motivate the contractor. Hence, we must understand the factors that are most important to the contractor.

Contract Type Challenges for Cybersecurity

Factors to consider when selecting a contract type include (1) performance risk and uncertainty, (2) urgency, complexity and stability of the requirement, (3) competition and (4) technology maturity. A challenge for cybersecurity is the availability of historical cost and pricing data as we build cybersecurity into the design of systems as opposed to using a previous compliance checklist approach. The ever-increasing cyber threat drives up uncertainty as new vulnerabilities are discovered daily. As we tackle this threat, the contract type needs to give us the flexibility to make adjustments as we learn what is feasible and affordable.

Summary

The contracting community has a crucial role to play in ensuring cybersecurity requirements are effectively included in the contract. This starts with gaining a complete understanding of the program requirements so that the solicitation can be effectively constructed to differentiate between competing offerors' proposals and determine their capability to deliver cybersecurity. The program management office needs to effectively communicate requirements to industry partners so they understand the scope of those requirements. This cannot be done effectively without early engagement on the part of the contracting officer.

The authors can be contacted at kim.kendall@dau.mil and william.long@dau.mil.
Risk Management Framework for DoD Medical Devices Session 136, March 7, 2018 Lt. Col. Alan Hardman, Chief Operations Officer, Cyber Security Division, Office of the DAD IO/J-6 William Martin, Deputy of
More informationSALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually
SALARY $49.72 - $72.54 Hourly $3,977.88 - $5,803.27 Biweekly $8,618.75 - $12,573.75 Monthly $103,425.00 - $150,885.00 Annually ISSUE DATE: 03/21/18 THE POSITION DIRECTOR OF CYBER SECURITY OPEN TO THE PUBLIC
More informationUniversity of Hawaii REQUEST FOR INFORMATION Strategic Communication Service Platform
University of Hawaii REQUEST FOR INFORMATION Strategic Communication Service Platform 1.0 EXECUTIVE SUMMARY The University of Hawaii System (University) seeks responses to this Request for Information
More informationSystems Engineering Update/SD-22
Systems Engineering Update/SD-22 Presented to the Parts Standardization & Management Committee October 30 - November 1, 2012 IDA 4850 Mark Center Drive Alexandria, Virginia 22311 Outline News from the
More informationNDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.
NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly. Dunlap@Raytheon.com This document does not contain technology or Technical Data controlled
More informationTexas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13
Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas
More informationNIST Special Publication
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline WHAT IS INFORMATION SECURITY? Personnel Security
More informationSection One of the Order: The Cybersecurity of Federal Networks.
Summary and Analysis of the May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Introduction On May 11, 2017, President Donald
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationAppendix 2B. Supply Chain Risk Management Plan
Granite Telecommunications, LLC. 100 Newport Ave. Ext. Quincy, MA 02171 Appendix 2B Supply Chain Risk Management Plan This proposal or quotation includes data that shall not be disclosed outside the Government
More informationCybersecurity Testing
Cybersecurity Testing Tim Palmer Chief Technical Advisor, SAS Business Unit Torch Technologies, Inc. EXPERTISE // INNOVATION // CUSTOMER FOCUS // EXCELLENCE // INTEGRITY // COOPERATION // RELIABILITY About
More informationDepartment of Defense Cybersecurity Requirements: What Businesses Need to Know?
Department of Defense Cybersecurity Requirements: What Businesses Need to Know? Why is Cybersecurity important to the Department of Defense? Today, more than ever, the Department of Defense (DoD) relies
More informationCyber Security For Business
Cyber Security For Business In today s hostile digital environment, the importance of securing your data and technology cannot be overstated. From customer assurance, liability mitigation, and even your
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationSeagate Supply Chain Standards and Operational Systems
DATA IS POTENTIAL Seagate Supply Chain Standards and Operational Systems Government Solutions Henry Newman May 9 2018 Supply Chain Standards and Results Agenda 1. 2. SUPPLY CHAIN REQUIREMENTS AND STANDARDS
More informationCyber Security Challenges
Cyber Security Challenges Navigating Information System Security Protections Vicki Michetti, DoD CIO, Director, DIB Cybersecurity Program Mary Thomas, OUSD(AT&L), Defense Procurement and Acquisition Policy
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationTRIAEM LLC Corporate Capabilities Briefing
TRIAEM LLC Corporate Capabilities Briefing 3/4/ 1 CORPORATE OVERVIEW CORPORATE VALUES MISSION STATEMENT SERVICES WORKFORCE EXPERIENCE CORPORATE CONTACTS 3/4/ 2 CORPORATE OVERVIEW TRIAEM is certified through
More informationCRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS
CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS Approved By: Executive: Accreditation: Mpho Phaloane Revised By: RBI STC Working Group Members Date
More informationUNCLASSIFIED. R-1 Program Element (Number/Name) PE D8Z / Software Engineering Institute (SEI) Applied Research. Prior Years FY 2013 FY 2014
Exhibit R-2, RDT&E Budget Item Justification: PB 2015 Office of Secretary Of Defense Date: March 2014 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 2: COST ($ in Millions) Prior Years
More informationModular Open Systems Approach (MOSA) Panel on Standards
Modular Open Systems Approach (MOSA) Panel on Standards Ms. Phil Zimmerman Deputy Director, Engineering Tools and Environments Office of the Deputy Assistant Secretary of Defense on Systems Engineering
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More informationCyber Update Mr. Paul Phillips AFLCMC/WNSA (937) May 17
Cyber Update Mr. Paul Phillips AFLCMC/WNSA (937) 255-2328 Paul.phillips.12@us.af.mil 9 May 17 Disclaimer: The information provided herein represents the Government s best understanding of the procurement
More informationNDAA Section 804 Accelerated Test, Evaluation and Certification What is it and How Will it Impact IT Acquisitions?
NDAA Section 804 Accelerated Test, Evaluation and Certification What is it and How Will it Impact IT Acquisitions? Prepared for 14 th Annual NDIA Systems Engineering Conference Integrated Test Strategies
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationFOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY
FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY The Foundation Certificate in Information Security (FCIS) course is designed to provide
More informationUNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO
COST ($ in Millions) FY 2011 FY 2012 Base OCO Total FY 2014 FY 2015 FY 2016 FY 2017 Cost To Complete Total Cost Total Program Element 8.306 7.299 10.429-10.429 11.464 12.492 12.840 13.010 Continuing Continuing
More informationISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006
ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value
More informationDoD Systems Engineering Update
DoD Systems Engineering Update Kristen Baldwin Principal Deputy, Office of the Deputy Assistant Secretary of Defense for Systems Engineering (ODASD(SE)) NDIA Systems Engineering Division Meeting March
More informationAdvanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin
Advanced Technology Academic Research Council Federal CISO Summit Ms. Thérèse Firmin Acting Deputy DoD CIO Cyber Security Department of Defense 25 January 2018 2 Overview Secretary Mattis Priorities Cybersecurity
More informationTraining and Certifying Security Testers Beyond Penetration Testing
Training and Certifying Security Testers Beyond Penetration Testing Randall W. Rice, CTAL (Full), CTAL-SEC Director, ASTQB Board of Directors www.astqb.org Most organizations do not know the true status
More informationFederal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats
May 20, 2015 Georgetown University Law Center Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats Robert S. Metzger Rogers Joseph
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More information2017 SAME Small Business Conference
2017 SAME Small Business Conference Welcome to Cybersecurity Initiatives and Speakers: Requirements: Protecting DOD s Unclassified Information Vicki Michetti, Director, Defense Industrial Base Cybersecurity
More informationEngineered Resilient Systems Advanced Analytics and Modeling in Support of Acquisition
Engineered Resilient Systems Advanced Analytics and Modeling in Support of Acquisition David R. Richards Lead Technical Director for ERS US Army Engineer Research and Development Center (ERDC) Research
More informationAssessing the impacts of Amended Toxic Substances Control Act (TSCA) to the DoD Mission and the Defense Industrial Base (DIB)
One team, one voice delivering global acquisition insight that matters. Assessing the impacts of Amended Toxic Substances Control Act (TSCA) to the DoD Mission and the Defense Industrial Base (DIB) DIB
More informationNETWORX PROGRAM INDIVIDUAL SMALL BUSINESS SUBCONTRACTING PLAN IDIQ TASK ORDER BASED
NETWORX PROGRAM INDIVIDUAL SMALL BUSINESS SUBCONTRACTING PLAN IDIQ TASK ORDER BASED Company Name: Qwest Government Services, Inc. (QGSI) Address: 4250 N. Fairfax Drive Arlington, VA 22203 Date Submitted:
More information